ACL checks for a combination of files & jwt backend not working #279

Open
DeveloperMarius opened this issue May 16, 2023 · 2 comments
@DeveloperMarius

Hey,

when I use the files backend, everything works as expected.

time="2023-05-16T08:39:07Z" level=debug msg="user admin acl authenticated with backend Files"
time="2023-05-16T08:39:07Z" level=debug msg="Acl is true for user admin"

But when I enable the jwt backend using `auth_opt_backends files, jwt`, it gives me:

time="2023-05-16T08:50:37Z" level=debug msg="checking user admin with backend Files"
time="2023-05-16T08:50:38Z" level=debug msg="user admin authenticated with backend Files"
time="2023-05-16T08:50:38Z" level=debug msg="Acl check with backend Files"
time="2023-05-16T08:50:38Z" level=debug msg="Acl check with backend JWT"
time="2023-05-16T08:50:38Z" level=debug msg="jwt parse error: token contains an invalid number of segments"
time="2023-05-16T08:50:38Z" level=info msg="jwt local check acl error: token contains an invalid number of segments"
time="2023-05-16T08:50:38Z" level=debug msg="Acl is false for user admin"
time="2023-05-16T08:50:38Z" level=error msg="token contains an invalid number of segments"

I think the ACL check for the files backend is somehow skipped and because the jwt backend fails, I receive an error.
Or because the jwt backend fails (admin is not a jwt token), the files ACL check is skipped.

mosquitto.conf:

max_connections 1000
allow_anonymous false


listener 8081
protocol websockets
cafile  ***
keyfile  ***
certfile  ***
tls_version tlsv1.2

listener 1884
protocol mqtt
cafile ***
keyfile  ***
certfile  ***
tls_version tlsv1.2

log_dest file ***/mosquitto.log


plugin /mosquitto/go-auth.so

auth_opt_hasher pbkdf2
auth_opt_backends files, jwt
auth_opt_disable_superuser true

auth_opt_files_password_path ***/password.txt
auth_opt_files_acl_path ***/auth_files.acl

auth_opt_jwt_mode local
auth_opt_jwt_db mysql
auth_opt_jwt_userfield Username
auth_opt_jwt_userquery ***
auth_opt_jwt_secret ***

auth_opt_jwt_mysql_host ***
auth_opt_jwt_mysql_port 3306
auth_opt_jwt_mysql_user ***
auth_opt_jwt_mysql_password ***
auth_opt_jwt_mysql_dbname ***

auth_opt_auth_cache_seconds 30
auth_opt_acl_cache_seconds 30
auth_opt_auth_jitter_seconds 3
auth_opt_acl_jitter_seconds 3

auth_opt_log_level debug
auth_opt_log_dest file
auth_opt_log_file ***

auth_files.acl:

user admin
topic read #
topic write #

Thank you for this project and I am looking forward to your feedback.

~ Marius

@iegomez
Owner

iegomez commented May 16, 2023

This sounds like a bug I'll need to look into; the error should simply be skipped and the ACL check should pass because of the files entry.
That said, if you need a quick workaround, you can disable ACL checks for your JWT backends by registering it to only check users, while your Files backend checks for ACLs: https://github.com/iegomez/mosquitto-go-auth#registering-checks
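To make the two behaviours concrete, here is an added example in Go (the plugin's language). It is not mosquitto-go-auth's own code: the `Backend` interface, the `filesBackend`/`jwtBackend` stand-ins, the rule model and the function names are all constructed for this illustration. `aclAbortOnError` reproduces what the log above shows (Files and JWT are both consulted, the JWT parse error denies the request); `aclSkipErrors` is the semantics the maintainer describes (a failing backend is skipped, one grant is enough); `registeredFor` models the per-backend registration from the README's "Registering checks" section, assumed here to be the `auth_opt_<backend>_register` options, so that a JWT backend registered only for `user` never takes part in the ACL check.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Access values follow mosquitto's MOSQ_ACL_* numbering (constructed for the example).
const (
	aclRead  = 1
	aclWrite = 2
)

// Backend is a hypothetical, simplified stand-in for the plugin's per-backend
// ACL check; it is not the project's real type.
type Backend interface {
	Name() string
	CheckAcl(user, topic string, access int) (bool, error)
}

type aclRule struct {
	access  int
	pattern string // "#" matches every topic, otherwise an exact topic name
}

// filesBackend models the auth_files.acl from the issue (user admin, topic read/write #).
type filesBackend struct{ rules map[string][]aclRule }

func (filesBackend) Name() string { return "Files" }
func (f filesBackend) CheckAcl(user, topic string, access int) (bool, error) {
	for _, r := range f.rules[user] {
		if r.access&access != 0 && (r.pattern == "#" || r.pattern == topic) {
			return true, nil
		}
	}
	return false, nil
}

// jwtBackend models a local-mode JWT check: the "user" must be a token of three
// dot-separated segments, so a plain username such as "admin" cannot be parsed.
type jwtBackend struct{}

func (jwtBackend) Name() string { return "JWT" }
func (jwtBackend) CheckAcl(user, topic string, access int) (bool, error) {
	if len(strings.Split(user, ".")) != 3 {
		return false, errors.New("token contains an invalid number of segments")
	}
	return false, nil // signature/claim validation is out of scope here
}

// aclAbortOnError reproduces the behaviour in the issue's log: every backend is
// consulted and an error from any of them denies the request, even though Files
// would have granted it.
func aclAbortOnError(backends []Backend, user, topic string, access int) (bool, error) {
	granted := false
	for _, b := range backends {
		ok, err := b.CheckAcl(user, topic, access)
		if err != nil {
			return false, fmt.Errorf("%s acl error: %w", b.Name(), err)
		}
		granted = granted || ok
	}
	return granted, nil
}

// aclSkipErrors is the semantics the maintainer describes: a failing backend is
// logged and skipped, and a single backend granting access is enough.
func aclSkipErrors(backends []Backend, user, topic string, access int) bool {
	for _, b := range backends {
		ok, err := b.CheckAcl(user, topic, access)
		if err != nil {
			fmt.Printf("acl check with backend %s failed, skipping: %v\n", b.Name(), err)
			continue
		}
		if ok {
			return true
		}
	}
	return false
}

// registeredFor models the README's per-backend check registration
// (assumed option form: auth_opt_<backend>_register user, acl): only backends
// registered for the named check take part in it.
func registeredFor(backends []Backend, registration map[string][]string, check string) []Backend {
	var out []Backend
	for _, b := range backends {
		for _, c := range registration[b.Name()] {
			if c == check {
				out = append(out, b)
				break
			}
		}
	}
	return out
}

// issueBackends builds the two backends in the order of "auth_opt_backends files, jwt".
func issueBackends() []Backend {
	files := filesBackend{rules: map[string][]aclRule{"admin": {{aclRead, "#"}, {aclWrite, "#"}}}}
	return []Backend{files, jwtBackend{}}
}

func main() {
	bs := issueBackends()
	ok, err := aclAbortOnError(bs, "admin", "sensors/temp", aclRead)
	fmt.Println("abort-on-error:", ok, err) // false JWT acl error: token contains an invalid number of segments
	fmt.Println("skip-errors:", aclSkipErrors(bs, "admin", "sensors/temp", aclRead)) // true
	// Workaround: jwt registered for "user" only, files for "user" and "acl".
	reg := map[string][]string{"Files": {"user", "acl"}, "JWT": {"user"}}
	ok, err = aclAbortOnError(registeredFor(bs, reg, "acl"), "admin", "sensors/temp", aclRead)
	fmt.Println("acl-registered backends only:", ok, err) // true <nil>
}
```

The last call shows why the registration workaround is effective even before the bug is fixed: once the JWT backend is not registered for the ACL check, its parse error never enters the aggregation, and the Files rule alone decides the outcome.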

@iegomez
Owner

iegomez commented Jul 18, 2023

@bilgeexuu1 I think you're commenting in the wrong issue.
